Date: Thu, 24 Apr 2014 11:25:02 +0200
From: Dan Lukes <dan@obluda.cz>
To: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: OpenSSL static analysis, was: De Raadt + FBSD + OpenSSH + hole?
Message-ID: <5358D86E.4060306@obluda.cz>
In-Reply-To: <9330A007-63D2-4930-AB33-4EEE64AEF670@cederstrand.dk>
References: <10999.1398215531@server1.tristatelogic.com> <50CA7E78-BB5E-4872-A272-B7374627EC12@cederstrand.dk> <B4A7F879-588B-4414-B416-601066C4E61A@mac.com> <546CE3A8-FC87-472F-8A63-0497D0D28789@cederstrand.dk> <F66D539F-0607-4653-9A90-56482671898B@mac.com> <20140424000744.GE15884@in-addr.com> <9330A007-63D2-4930-AB33-4EEE64AEF670@cederstrand.dk>
On 04/24/14 08:33, Erik Cederstrand:
> we need some way of marking them as false positive or wontfix, so the effort isn't duplicated. Out of the 10.000 reports, a conservative guess is that at least 100 of them are real security issues

> A year ago, I did a raid on reports about not checking the return value of setuid() and friends, which did uncover real issues.

Well, about nine years ago I spent some time analysing the warnings raised by the compiler during 'buildworld' (see bin/71632 for example). Most of them have been false positives, of course, but it has been possible to modify the code to avoid them in the future. Just a few true issues have been discovered, of course.

I created a PR and proposed a patch for most of them, both bugs and warnings that can be avoided. So many of those PRs have been left untouched for years. I considered that the proactive approach is not welcomed so much. I'm not complaining in any way; it's about my feeling that I wasted my time with an activity not considered useful. I fully understand that reviewing tens of patches takes time and no fun nor honor is related to such kind of work. That is it.

Yes, we need a "wontfix" mark, or so. But before it, the cleanup of code needs to be recognized as something valuable and important. Heartbleed raised the dust, so we are discussing those issues now. But the dust will settle again within a few weeks. Reviewing "just code cleanup" reports will become a "not fun/not honor/time costly" task again. A kind of task with no priority.

Please note that my skills in English are very limited. I'm not trying to attack the committers nor anyone else in any way. People tend to have human characteristics (I'm no exception), and not-fun tasks that can be delayed will be delayed. I'm just trying to explain why I feel that "we have no code analysis done yet" or "we need a wontfix flag" is not the most important question. I'm not trying to push anyone. Just asking.

If we (volunteers with no commit rights) spend time (and money, maybe) to do the analysis, will someone with commit rights take the job, despite it being a time-costly task with little honor, despite the Heartbleed dust having settled?

Dan